Ad Widget

**gospodin.horoshiy** · 18-03-2009, 14:28

In Windows,
this entry is registered in security log every time users logs on:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 17.03.2009
Time: 11:47:07
User: WAB\user
Computer: WAB
Description:
Successful Logon:
User Name: user
Domain: WAB
Logon ID: (0x0,0xE1BD)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: WAB
Logon GUID: -

I suppose you could try to monitor this log using item eventlog[security] and than set a trigger to look for key words in this log. Then, you could know when user logs in

**Syl** · 15-04-2009, 09:00

Thanks for the reply.
I'm running the Zabbix Server and the PHP frontend on a Linux machine.

I want to create a trigger to alert me if a specific user is not logged on Zabbix' PHP frontend between 6 PM and 9 AM.

If you have any idea/suggestion, please let me know.

**rue** · 15-04-2009, 13:48

I'd suggest a look at your zabbix-database. Table: auditlog

Configure a Userparameter, that checks entries there for "Correct Login [username]" at 9:00h for the last 10800s and a trigger on this item... .

But you wouldn't monitor an employee, wouldn't you?

cheers

Rü

**Syl** · 16-04-2009, 16:01

I'm monitoring a call centre that is hired to watch the servers during the night

I'll let you know if I manage to create this trigger.

**Syl** · 21-05-2009, 15:16

Well... I see logins are logged ( "Correct login [Syl]", for example ). But logouts or closing the browser page is not logged.

So even if at 17:00 I'm logged in, it doesn't mean that at 17:05 I'm still logged in, watching ZABBIX screens...

Right ?

**Calimero** · 22-05-2009, 09:40

Look at the 'sessions' table.

Code:

SELECT FROM_UNIXTIME(MAX(lastaccess)) AS last_access, u.userid, u.name FROM sessions AS s
JOIN users AS u ON s.userid = u.userid
GROUP BY u.userid
ORDER BY MAX(lastaccess) DESC

This is refreshed every time you hit one of zabbix' page.

I don't know in what country you work in but such monitoring of employees may require that employee be notified if in the first place (that's the law in France, for example).

And this won't tell you whether the guy is really watching the screens and not having FFox in background while watching a DVD.

**tchjts1** · 24-05-2009, 02:30

Manual logouts are logged. Look in the Zabbix GUI under Administration --> Audit.

**Syl** · 25-05-2009, 10:00

Originally posted by Calimero

Look at the 'sessions' table.
[...]

Great one Calimero. Thanks! This is how I adapted the query (I'll let you know how I created the UserParameter, also):

Code:

SELECT FROM_UNIXTIME(MAX(lastaccess)) AS last_access, u.userid, u.name FROM sessions AS s JOIN users AS u ON s.userid = u.userid GROUP BY u.userid HAVING u.userid = 16;

Where 16 is the UserID I'm interested in.

And... about the legal issues, I'll leave that to my boss :P

**Syl** · 25-05-2009, 13:08

This is how the UserParameter looks like:

Code:

UserParameter=user.online,echo `date +'%s'`-`echo "use zabbix; SELECT MAX(lastaccess) AS last_access FROM sessions AS s JOIN users AS u ON s.userid = u.userid WHERE u.userid = 16;" | mysql -uuser -ppass | grep -v last` | bc -l

The result of the trigger is the difference in seconds between the current date and the date of the last activity of that user on Zabbix.

Thanks for all your help !

Ad Widget

Trigger for user log in

Trigger for user log in

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment